MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 26587efd6f043836e59060f9693f5bc85216530feadbc5f5bed00a921795f405. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


DarkCloud


Vendor detections: 13


Intelligence 13 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 26587efd6f043836e59060f9693f5bc85216530feadbc5f5bed00a921795f405
SHA3-384 hash: cc318c2c4a3938c5c47b6a41ffee12ba8ab414d6b266363c019b2171c7b8ac1b2053e5340525783ce82789000430151f
SHA1 hash: eeb9136bc95279952a45dd44dc92053818c45d7a
MD5 hash: d92277a3b2c0361be28e591344ae9df2
humanhash: neptune-cold-bluebird-maryland
File name:26587efd6f043836e59060f9693f5bc85216530feadbc5f5bed00a921795f405
Download: download sample
Signature DarkCloud
Create hunting rule
File size:1'218'048 bytes
First seen:2026-06-08 09:22:28 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (49'066 x AgentTesla, 20'016 x Formbook, 12'352 x SnakeKeylogger)
ssdeep 24576:wez1Bh39vy/HBs6z5I0FA0NHramkCnPzGN9gaPhd6aXa3P8zWCQgrnNr:wez1Bh34PRKH0tjkCnPzGIaj6aXa/8i2
TLSH T1904522A9120DD90AD0865BB41CE2E0B02B349C98E925EB17DECD7DEFB5B97300A0575F
TrID 73.9% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
6.6% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
6.6% (.EXE) Win64 Executable (generic) (6522/11/2)
4.5% (.EXE) Win32 Executable (generic) (4504/4/1)
2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Magika pebin
Reporter adrian__luca
Tags:DarkCloud exe

Intelligence

File Origin
# of uploads :
1
# of downloads :
57
Origin country :
HU HU
Vendor Threat Intelligence
Malware configuration found for:
RoboSki
Details
Link:
https://research.acce.ciphertechsolutions.com/results/2a334c7a-cfe2-4a87-8347-6e934fada9e5/
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/69744/
Verdict:
Malicious
Score:
99.9%
Link:
https://cyber-fortress.com/docs/result/index.php?id=6a268a313e9eff6a6b68b901
Tags:
infosteal virus micro shell
Result
Verdict:
Malware
Maliciousness:

Behaviour
Creating a file
Creating a window
Сreating synchronization primitives
Creating a process with a hidden window
Creating a file in the %AppData% directory
Enabling the 'hidden' option for recently created files
Adding an access-denied ACE
Creating a file in the %temp% directory
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Forced shutdown of a system process
Adding an exclusion to Microsoft Defender
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
base64 krypt packed similar-threat stealer vbnet
Link:
https://www.filescan.io/uploads/6a268a47554e843ff8640295/reports/e91663a9-28ed-4e57-931f-36b63a01897f/overview
Verdict:
Malicious
Labled as:
Win/malicious_confidence_100%
Link:
https://www.hybrid-analysis.com/sample/26587efd6f043836e59060f9693f5bc85216530feadbc5f5bed00a921795f405
Verdict:
Malicious
File Type:
exe x32
First seen:
2026-05-08T14:10:00Z UTC
Last seen:
2026-06-10T02:49:00Z UTC
Hits:
~1000
Link:
https://opentip.kaspersky.com/26587efd6f043836e59060f9693f5bc85216530feadbc5f5bed00a921795f405/results?tab=lookup
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/4cfa6ad2-7cdb-4048-8d9a-2fa4a0a711d3
Score:
100%
Verdict:
Malware
File Type:
PE
Link:
https://malprob.io/report/26587efd6f043836e59060f9693f5bc85216530feadbc5f5bed00a921795f405
Gathering data
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/26587efd6f043836e59060f9693f5bc85216530feadbc5f5bed00a921795f405/
Threat name:
ByteCode-MSIL.Trojan.AgentTesla
Create hunting rule
Status:
Malicious
First seen:
2026-05-08 18:52:41 UTC
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=ezmh57lpaq4dnzmqmd4wsp23zbjbmuyp5ln4l5n62afjef4v6qcq._file
Result
Malware family:
n/a
Score:
  8/10
Tags:
discovery execution persistence
Link:
https://tria.ge/reports/260608-lcn21abs8q/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of SetThreadContext
Adds Run key to start application
Checks computer location settings
Executes dropped EXE
Uses the VBS compiler for execution
Command and Scripting Interpreter: PowerShell
Unpacked files
SH256 hash:
26587efd6f043836e59060f9693f5bc85216530feadbc5f5bed00a921795f405
MD5 hash:
d92277a3b2c0361be28e591344ae9df2
SHA1 hash:
eeb9136bc95279952a45dd44dc92053818c45d7a
Link:
https://www.unpac.me/results/88a8b130-8132-4a99-ac7c-58bcd5f4ddfd/
SH256 hash:
08bbb82cc62d70fd48c2fd0d2c59a8f008c80b1d9deac2814f0975216cc0ab94
MD5 hash:
d20b7670418a75870373c4fc0c8fe118
SHA1 hash:
002629814fc59b4a54a49ff75ad742d1f38d950d
Link:
https://www.unpac.me/results/88a8b130-8132-4a99-ac7c-58bcd5f4ddfd/
SH256 hash:
c69656149ce2a148f131e851b2959bcff9f12bcfb4594df7d7487ff93bfe892a
MD5 hash:
5cfa590778d321b4dfd1b4f4aaa837ee
SHA1 hash:
136dfe761501bcc9c5386edfbbeaea24d8b38267
Link:
https://www.unpac.me/results/88a8b130-8132-4a99-ac7c-58bcd5f4ddfd/
SH256 hash:
10d329d21caaa130466427ff625d0bfae6b1f1d26adfefd9f81f8a63f85b88d0
MD5 hash:
8593639303535cbb65d16fdb01b61e5b
SHA1 hash:
5c91fc8aaa38114227fd329bc9159e5eca903f23
Link:
https://www.unpac.me/results/88a8b130-8132-4a99-ac7c-58bcd5f4ddfd/
SH256 hash:
fff1962c5c3199fa982ba73b2553a5901f2a817ae10af198931f392b8ed66e3d
MD5 hash:
c861d16675b2fa5b3e7db0d9d3fcd053
SHA1 hash:
7ae71971d13a2978e0b56f6abb865a74ebfddc49
Detections:
darkcloudstealer
Create hunting rule
Link:
https://www.unpac.me/results/88a8b130-8132-4a99-ac7c-58bcd5f4ddfd/
Parent samples :
f82ba03e14d2cf4c3602478c465c3a10289b6169b6e58046a079637a10888652
26587efd6f043836e59060f9693f5bc85216530feadbc5f5bed00a921795f405
SH256 hash:
3b75425895af4ae3186b36277553641e37ca1d620ae18d68e40d13351b54de6a
MD5 hash:
94d1531b52774dce52a89e33646d5b1d
SHA1 hash:
29bf887b025b97bd7a9e1e261852ba824234a625
Link:
https://www.unpac.me/results/88a8b130-8132-4a99-ac7c-58bcd5f4ddfd/
Malware family:
DarkCloud
Create hunting rule
Verdict:
Malicious
Link:
https://www.vmray.com/analyses/_mb/26587efd6f04/report/overview.html
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/26587efd6f043836e59060f9693f5bc85216530feadbc5f5bed00a921795f405

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:NET
Create hunting rule
Author:malware-lu
Rule name:NETexecutableMicrosoft
Create hunting rule
Author:malware-lu
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:Sus_CMD_Powershell_Usage
Create hunting rule
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/69744/

Comments